Incorrect Short Circuit Evaluation

Incomplete Variant

Structure: Simple

Description

This vulnerability occurs when a program's conditional statement uses short-circuit evaluation (where later parts of an AND/OR check are skipped if the outcome is already determined), and the skipped portions contain code that changes the program's state. Because these side effects—like updating a variable, checking a permission, or logging an event—are never executed, the application can enter an unexpected and potentially insecure state.

Extended Description

Short-circuit evaluation is a standard programming feature, but relying on it for critical side effects creates hidden logic flaws. Attackers can probe for these inconsistencies—like a skipped authentication check or a missed bounds validation—to exploit the program later. Since code reviews and tests often follow the expected execution path, these skipped code blocks become blind spots, turning a language feature into a security weakness. This practice also makes code harder to maintain and reason about. Future developers might modify the conditional logic without realizing that the order of expressions is security-sensitive, inadvertently reintroducing or creating new vulnerabilities. Treating conditional statements as mere checks, rather than sequences of operations, undermines both security and long-term code health.

Common Consequences 1

Scope: ConfidentialityIntegrityAvailability

Impact: Varies by Context

Widely varied consequences are possible if an attacker is aware of an unexpected state in the product after a conditional. It may lead to information exposure, a system crash, or even complete attacker control of the system.

Potential Mitigations 1

Phase: Implementation

Minimizing the number of statements in a conditional that produce side effects will help to prevent the likelihood of short circuit evaluation to alter control flow in an unexpected way.

Demonstrative Examples 1

The following function attempts to take a size value from a user and allocate an array of that size (we ignore bounds checking for simplicity). The function tries to initialize each spot with the value of its index, that is, A[len-1] = len - 1; A[len-2] = len - 2; ... A[1] = 1; A[0] = 0; However, since the programmer uses the prefix decrement operator, when the conditional is evaluated with i == 1, the decrement will result in a 0 value for the first part of the predicate, causing the second portion to be bypassed via short-circuit evaluation. This means we cannot be sure of what value will be in A[0] when we return the array to the user.

Code Example:Bad
C
c

When compiled and run, the above code will output a privilege level of 1, or PRIV_REGULAR for every user but the user with id 0 since the prefix increment operator used in the if statement will reach zero and short circuit before setting the 0th user's privilege level. Since we used calloc, this privilege will be set to 0, or PRIV_ADMIN.

Likelihood of Exploit

Low

Modes of Introduction

Implementation

Related Weaknesses

ChildOf:

Insufficient Control Flow Management (CWE-691)

Taxonomy Mapping

CLASP
Software Fault Patterns